[Pki-devel] [PATCH] fix for existing CA for HSM
commit 5efd691e71f32b350737d95fe08f470164e60192 Author: Ade Lee Date: Thu May 12 00:35:41 2016 +0200 Fix existing ca setup to work with HSM If the existing CA keys are in an HSM, the code fails to load the keys becauseit does not take into account the full nickname. This small fix addresses this bug. Please review, Thanks, AdeFrom 5efd691e71f32b350737d95fe08f470164e60192 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 12 May 2016 00:35:41 +0200 Subject: [PATCH] Fix existing ca setup to work with HSM If the existing CA keys are in an HSM, the code fails to load the keys becauseit does not take into account the full nickname. This small fix addresses this bug. --- .../src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 7 ++- .../cms/src/org/dogtagpki/server/rest/SystemConfigService.java | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index c0f0ce1f405dd63232f1be6c15f8bd8d1a8d3c4b..527ed826ee8d7505354f523c36e3ad110219723b 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -2268,12 +2268,17 @@ public class ConfigurationUtils { certObj.setCertChain(certChainStr); } -public static KeyPair loadKeyPair(String nickname) throws Exception { +public static KeyPair loadKeyPair(String nickname, String token) throws Exception { CMS.debug("ConfigurationUtils: loadKeyPair(" + nickname + ")"); CryptoManager cm = CryptoManager.getInstance(); +if (token != null) { +if (!token.equals("internal") && !token.equals("Internal Key Storage Token")) +nickname = token + ":" + nickname; +} + X509Certificate cert = cm.findCertByNickname(nickname); PublicKey publicKey = cert.getPublicKey(); PrivateKey privateKey = cm.findPrivKeyByCert(cert); 
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index f9415f520eb264fece8846339ed9da2904c7dbfa..3ed28bc7281814fe1be6b7c33e120ef5844ef412 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -424,7 +424,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 if (request.isExternal() && tag.equals("signing")) {
 // external/existing CA
 // load key pair for existing and externally-signed signing cert
 CMS.debug("SystemConfigService: loading signing cert key pair");
-KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname());
+KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken());
 ConfigurationUtils.storeKeyPair(cs, tag, pair);
 } else if (!request.getStepTwo()) {
-- 
1.8.3.1
___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
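Review bot: The token string from `certData.getToken()` is forwarded to loadKeyPair exactly as received, and the new loadKeyPair (previous hunk) only skips the token prefix when the value is null, so an empty or whitespace-only token in the configuration request would produce a `:nickname` lookup and an opaque lookup failure instead of a clear error. Normalizing at the call site, `String token = certData.getToken(); if (token != null && token.trim().isEmpty()) token = null;` before the call, and including the token in the preceding debug line, `CMS.debug("SystemConfigService: loading signing cert key pair from token " + token);`, would make an HSM misconfiguration much easier to diagnose. Whether an empty token can actually reach this point depends on request validation upstream, which is outside the hunk; the enclosing method also starts and ends outside it.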
Re: [Pki-devel] [PATCH] 743 Fixed install-only message in external CA case.
On 05/11/2016 02:01 PM, Endi Sukma Dewata wrote: Previously, in external CA case if pkispawn was executed with pki_skip_configuration=True, it would stop the execution before the step 1 was fully completed (i.e. generating CSR), but it would incorrectly show a message indicating the CSR has been generated. The code that displays the installation summary has been fixed to check for pki_skip_configuration first before checking for external CA case to ensure that it displays the appropriate message for each step. The code that generates the Tomcat instance systemd service link was moved into instance_layout.py to avoid redundant executions. The pkispawn and pkidestroy have also been modified to remove redundant log of deployment parameters in master dictionary. ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ACK ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [PATCH] 744-745 Fixed missing CSR extensions for external CA case.
The deployment tool has been modified to generate CSR with basic constraints and key usage extensions for the externally-signed CA signing certificate. The ConfigurationUtils.handleCertRequest() has been modified to throw an exception on error during CSR generation instead of silently ignoring it. The method has also been renamed to generateCertRequest() for clarity. https://fedorahosted.org/pki/ticket/2312 -- Endi S. Dewata >From ab1a231d3f61dc41ad03fbc5e9c0a362aa0ca3ea Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 11 May 2016 09:42:53 +0200 Subject: [PATCH] Fixed error handling ConfigurationUtils.handleCertRequest(). The ConfigurationUtils.handleCertRequest() has been modified to throw an exception on error during CSR generation instead of silently ignoring it. The method has also been renamed to generateCertRequest() for clarity. --- .../cms/servlet/csadmin/ConfigurationUtils.java| 58 -- .../dogtagpki/server/rest/SystemConfigService.java | 7 ++- 2 files changed, 36 insertions(+), 29 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index c0f0ce1f405dd63232f1be6c15f8bd8d1a8d3c4b..88e85a01a8d21afeb4cd46a2250545e7b2084c3a 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -35,11 +35,9 @@ import java.security.InvalidKeyException; import java.security.KeyPair; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; import java.security.Principal; import java.security.PublicKey; import java.security.SecureRandom; -import java.security.SignatureException; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateExpiredException; 
@@ -119,6 +117,7 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.EAuthException; import com.netscape.certsrv.authentication.IAuthSubsystem; import com.netscape.certsrv.authorization.IAuthzSubsystem; +import com.netscape.certsrv.base.BadRequestException; import com.netscape.certsrv.base.ConflictingOperationException; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; 
@@ -2894,39 +2893,37 @@ public class ConfigurationUtils { cert.setRequest(formattedCertreq); } -public static void handleCertRequest(IConfigStore config, String certTag, Cert cert) throws EPropertyNotFound, -EBaseException, InvalidKeyException, NotInitializedException, TokenException, NoSuchAlgorithmException, -NoSuchProviderException, CertificateException, SignatureException, IOException { +public static void generateCertRequest(IConfigStore config, String certTag, Cert cert) throws Exception { + +CMS.debug("generateCertRequest: getting public key for certificate " + certTag); -CMS.debug("ConfigurationUtils: handleCertRequest() begins"); -// get public key String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype"); String algorithm = config.getString(PCERT_PREFIX + certTag + ".keyalgorithm"); -X509Key pubk = null; +X509Key pubk; if (pubKeyType.equals("rsa")) { pubk = getRSAX509Key(config, certTag); + } else if (pubKeyType.equals("ecc")) { pubk = getECCX509Key(config, certTag); + } else { -CMS.debug("handleCertRequest() - " + "pubKeyType " + pubKeyType + " is unsupported!"); -return; +CMS.debug("generateCertRequest: Unsupported public key type: " + pubKeyType); +throw new BadRequestException("Unsupported public key type: " + pubKeyType); } -CMS.debug("handleCertRequest: tag=" + certTag); -if (pubk == null) { -CMS.debug("handleCertRequest: error getting public key null"); -return; -} +// public key cannot be null here -// get private key +CMS.debug("generateCertRequest: getting private key for certificate " + certTag); String privKeyID = config.getString(PCERT_PREFIX + certTag + ".privkey.id"); -CMS.debug("privKeyID=" + privKeyID); + +CMS.debug("generateCertRequest: private key ID: " + privKeyID); byte[] keyIDb = CryptoUtil.string2byte(privKeyID); PrivateKey privk = CryptoUtil.findPrivateKeyFromID(keyIDb); if (privk == null) { -CMS.debug("handleCertRequest: error getting private key"); +CMS.debug("generateCertRequest: Unable to find private key for 
certificate " + certTag); +throw new BadRequestException("Unable to find private key for certificate " + certTag); }
[Pki-devel] [PATCH] 743 Fixed install-only message in external CA case.
Previously, in external CA case if pkispawn was executed with pki_skip_configuration=True, it would stop the execution before the step 1 was fully completed (i.e. generating CSR), but it would incorrectly show a message indicating the CSR has been generated. The code that displays the installation summary has been fixed to check for pki_skip_configuration first before checking for external CA case to ensure that it displays the appropriate message for each step. The code that generates the Tomcat instance systemd service link was moved into instance_layout.py to avoid redundant executions. The pkispawn and pkidestroy have also been modified to remove redundant log of deployment parameters in master dictionary. -- Endi S. Dewata >From c7ae690180e274472c78710fa2a6d09f9604d9e2 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 11 May 2016 19:35:07 +0200 Subject: [PATCH] Fixed install-only message in external CA case. Previously, in external CA case if pkispawn was executed with pki_skip_configuration=True, it would stop the execution before the step 1 was fully completed (i.e. generating CSR), but it would incorrectly show a message indicating the CSR has been generated. The code that displays the installation summary has been fixed to check for pki_skip_configuration first before checking for external CA case to ensure that it displays the appropriate message for each step. The code that generates the Tomcat instance systemd service link was moved into instance_layout.py to avoid redundant executions. The pkispawn and pkidestroy have also been modified to remove redundant log of deployment parameters in master dictionary. --- .../pki/server/deployment/scriptlets/configuration.py | 7 --- .../pki/server/deployment/scriptlets/instance_layout.py | 8 base/server/sbin/pkidestroy | 5 - base/server/sbin/pkispawn | 13 - 4 files changed, 12 insertions(+), 21 deletions(-) 
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index fc5dc84c4bbcde0c8972705ab64ebdcada20fc4d..373b58ef45cf84fd5aa0be1856cff5ee23b13aba 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py @@ -40,12 +40,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def spawn(self, deployer): -# ALWAYS establish the following Tomcat instance symbolic link since -# this link is required by both automatic pkispawn instance -# configuration as well as manual browser GUI instance configuration -deployer.symlink.create(deployer.mdict['pki_systemd_service'], -deployer.mdict['pki_systemd_service_link']) - if config.str2bool(deployer.mdict['pki_skip_configuration']): config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) @@ -354,4 +348,3 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): if len(deployer.instance.tomcat_instance_subsystems()) == 1: if deployer.directory.exists(deployer.mdict['pki_client_dir']): deployer.directory.delete(deployer.mdict['pki_client_dir']) -deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py index 2af86bfeb246cf10d297af8ca8d8b8391c55f15a..98d82ff98d9cb40e1ee2116250b8271b04be868f 100644 --- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py 
@@ -293,12 +293,20 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): deployer.mdict['pki_symkey_jar'], deployer.mdict['pki_symkey_jar_link']) +# create Tomcat instance systemd service link +deployer.symlink.create(deployer.mdict['pki_systemd_service'], +deployer.mdict['pki_systemd_service_link']) + def destroy(self, deployer): config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) if len(deployer.instance.tomcat_instance_subsystems()) == 0: + +# remove Tomcat instance systemd service link +deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) + # remove Tomcat instance base deployer.directory.delete(deployer.mdict['pki_instance_path']) # remove Tomcat instance logs diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy index 404298ba9413135a7107c3777120b2dc7a116
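Review bot: The link removal in destroy() is guarded by `tomcat_instance_subsystems()` being empty, while the deletion it replaces in configuration.py (previous hunks) ran when exactly one subsystem remained; the two are only equivalent if instance_layout's destroy runs after the subsystem has already been unregistered from the instance, and nothing in the hunk records that ordering assumption. A comment such as `# runs after the subsystem has been removed from the instance, so an empty list means this was the last one` above the length check would protect it from a later scriptlet reordering that leaves the systemd service link dangling. On the spawn side the link is now created on every subsystem install; presumably deployer.symlink.create tolerates an already-existing link when a second subsystem is added to the same instance, which is worth confirming.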
Re: [Pki-devel] [PATCH] pki-cfu-0121-Ticket-1508-Missing-token-prefix-for-connectors-in-T.patch
addressed Endi's comment and checked in: commit c5d9d3ac288045045aa387dfc53f1157c3a7e4b5 thanks, Christina On 05/10/2016 12:00 PM, Christina Fu wrote: This patch adds the token prefix to connector nicknames when installed with HSM. Patch tested on RHEL7.2 VM with lunasa. thanks, Christina ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel